Apple introduced Gatekeeper in OS X Lion as a way to ensure users don't unintentionally run apps or installers from unknown sources. However, if someone is willing to personally (or professionally) identify themselves to Apple, then Gatekeeper will allow their signed apps to run on OS X, regardless of what those apps will do to your system. The reality is that this leaves too much room for malware and adware, including the example I found below.
For the purposes of Gatekeeper, Apple verifies the identity of the developer, but not their intent. It's up to you to ensure that the applications you install and run on your Mac come from the people you think they came from, and we'll show you how to do that.
A Nefarious Installer Bypasses Gatekeeper
As originally discussed in Mac Geek Gab 542, while clicking through to an article from (the reputable and source-curated site) news.google.com, a seemingly innocuous (but fake) Flash update message appeared.
The file I then downloaded was a disk image named, “adobe_flashplayer_e2c7b_Setup.dmg.” Double clicking on the .dmg revealed a very generic-looking "Installer" package. The attackers easily could have made it look better, even cloning Adobe's icons and styling. Still, this looks like a normal installer.
An Installer (Poorly) Masquerading as an Adobe Installer
Trying to run this installer by double clicking brought up a dialog that OS X presents for any app you’ve downloaded from the Internet. This is normal for applications, but not normal for Installer packages. That's because this attack is a full-fledged application masquerading as an installer by icon and name alone.
When encountering a new download, this is the first time you'll be presented with something that specifically identifies the file's source. Notice where the file was downloaded from: 24check.fixupdatesnow.net. This is not Adobe.
Still, it looks normal enough, and continuing to run it brought up something that looked like OS X's normal Installer, except it wasn't. There are some very specific things unique to OS X's Installer that can help you identify what's going on.
True Installers Can Show Their Source
A Legit Apple Installer Certificate
In the image above, we have a legitimate Apple installer. There's a lock icon in the upper right-hand corner, indicating it is signed by a certificate. That's important because it means Apple has confirmed the identity of the creator. Clicking on the lock displays the certificate of the creator of the Installer. This is something you should do with every installer that provides this option. It's a very simple way to confirm that you're installing an app from the expected developer.
In the case of our nefarious Flash installer, the attackers built an application that looks like Apple's installer, but in the end is just another, normal application. Since the developers chose to identify themselves with Apple and get a certificate, Gatekeeper did nothing to stop us from running it.
And that's the problem. Gatekeeper is doing the job Apple intended for it to do, but it still leaves Mac users open to maliciously crafted malware and adware, as it did with the fake Flash installer.
Next: Who Signed the App and What Can Apple Do?
Page 2 - Who Signed the App and What Can Apple Do?
Who Signed the App?
Finding out who signed an application requires using the Terminal command, codesign. Here's how to ask for information on Adobe Reader itself:
codesign -dvvv /Applications/Adobe\ Reader.app/Contents/MacOS/AdobeReader
The relevant parts of the output are as follows:
Signature size=4232 Authority=Developer ID Application: Adobe Systems, Inc. Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=Dec 3, 2014, 12:11:56 AM
Now let’s see what we come up with if I do the same with our mysterious Flash installer:
codesign -dvvv /Volumes/Installer/Installer.app/Contents/MacOS/Installer
The relevant parts of the output are as follows:
Signature size=8520 Authority=Developer ID Application: donny laket (T6AK866TJY) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Feb 16, 2015, 7:44:59 AM
Seems someone identified as "donny laket" is up to no good. But because Donny was willing to get a developer account with Apple and sign his app with his related certificate, Gatekeeper will let this app run just like any other normal app from any other developer.
We notified Apple (both the PR department and developer relations) of this nefarious app and developer's certificate as soon as we discovered it earlier this week. The developer relations department acknowledged receipt of the notice, but at this point we're unclear on what steps Apple can (or will) take with Gatekeeper to keep other Mac users from being allowed to run this app or others from Donny. Certainly this certificate is still allowed by Gatekeeper as of this writing.
The nefarious "Installer" app (which looks to be an adware installer) still happily runs on all of the systems we used to test it here, suggesting that Gatekeeper doesn't use standard mechanisms such as CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) to see if a certificate has been revoked. Apple's own Technical Note on OS X Code Signing indicates a revoked certificate may not always be identified. At this point, running Certificate Assistant (a tool accessible via Keychain Access) indicates this certificate is Good.
The Malware's Certificate Is Still Marked Good from Apple
Gatekeeper is a great thing, but it is only one tool in keeping your system secure. Ultimately it's up to you to decide how to use all the tools at your disposal to keep yourself secure. We all must choose our place on the continuum that balances security versus convenience; and perhaps some of these techniques will make it easier for you to be a little more secure without too much headache.